njrat | a99fb7b3c1ac48a0501f1c91c578bb6306f69fbfd7afc09dfbcb6a6acb8157ee | Triage

Sharing

General

Target

a99fb7b3c1ac48a0501f1c91c578bb6306f69fbfd7afc09dfbcb6a6acb8157ee
Size

37KB
Sample

240918-amzeyaselc
MD5

3d24325e0de8ce6ac6e58c6d7b562fb5
SHA1

b47f28320e9bf413506abe27f214f9e8065b5adf
SHA256

a99fb7b3c1ac48a0501f1c91c578bb6306f69fbfd7afc09dfbcb6a6acb8157ee
SHA512

85524a3a525ebc9e8af24a65d1c8aebddc59a373ce47123fc26fc7513bf01bf7c51ee5b67b3681569d217b32754a90b204b132ea41a5db7fbb9fbd00ade7c85a
SSDEEP

384:UkujKicgkjn5xL5oyUi8mfF2jfP3lYiEASrAF+rMRTyN/0L+EcoinblneHQM3ep5:ruOf5DUi8o2jfdVEDrM+rMRa8NuBvt

Score

10^/10

njrat sas595959595959 discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Sas595959595959

C2

ru.tuna.am:25052

Mutex

4ff16c8fdeb8e3ee81ab4855ac4d97c2

Attributes

reg_key
4ff16c8fdeb8e3ee81ab4855ac4d97c2
splitter
|'|'|

Targets

- Target
  
  a99fb7b3c1ac48a0501f1c91c578bb6306f69fbfd7afc09dfbcb6a6acb8157ee
- Size
  
  37KB
- MD5
  
  3d24325e0de8ce6ac6e58c6d7b562fb5
- SHA1
  
  b47f28320e9bf413506abe27f214f9e8065b5adf
- SHA256
  
  a99fb7b3c1ac48a0501f1c91c578bb6306f69fbfd7afc09dfbcb6a6acb8157ee
- SHA512
  
  85524a3a525ebc9e8af24a65d1c8aebddc59a373ce47123fc26fc7513bf01bf7c51ee5b67b3681569d217b32754a90b204b132ea41a5db7fbb9fbd00ade7c85a
- SSDEEP
  
  384:UkujKicgkjn5xL5oyUi8mfF2jfP3lYiEASrAF+rMRTyN/0L+EcoinblneHQM3ep5:ruOf5DUi8o2jfdVEDrM+rMRa8NuBvt
Score

10^/10

njrat sas595959595959 discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

sas595959595959njrat

behavioral1

njratsas595959595959discoveryevasionpersistenceprivilege_escalationtrojan

behavioral2